Brasenose College GDPR ROPA – ICT Functions
Including users of College email and telephone/mobile devices – v1.4 (Reviewed July 2023)
| ID | Category of personal data | Source of the data | Why we process it | How long we keep this data | Our lawful basis for processing | Details relating to lawful basis (where applicable) | Special category / public interest / criminal data |
|---|---|---|---|---|---|---|---|
| 1 | Firewall, security and PC misuse incident log files consisting of the date and time of incident, which user (name and/or user name), details of the incident and any consequential action taken. | We generate this data about you. | In the course of maintaining the College’s networks, protecting their integrity, investigating computer misuse and minimising the risk of recurrence. Such records may also be used for disciplinary purposes where staff or students have breached College policies. | 7 years from the date we learn of the incident. | Processing is necessary for the purposes of our or someone else’s legitimate interests, except where overridden by your data protection rights and freedoms; processing is also necessary for compliance with a legal obligation. | The College has a legitimate interest in maintaining the integrity of its systems, investigating misuse and taking action to prevent misuse recurring. Keeping such records is also necessary to comply with security and accountability obligations under data protection laws. | Processing is necessary for the prevention or detection of an unlawful act and must be carried out without consent so as not to prejudice those purposes. |
| 2 | Login information for students, staff, fellows and visitors consisting of time, date and duration of login, username and name, university card number, IP and MAC addresses, records of which users have printed documents and when, details of any printing charges. Also records of access levels (e.g. staff, student, visitor, administrator), encrypted/obfuscated password information, and records of internet usage (sites visited, time/date). | We obtain this data from you; we generate this data about you. | As a necessary part of managing and operating our systems and controlling access. In cases of misconduct or copyright abuse such records may be used for investigation or disciplinary action. Internet usage records are used for troubleshooting, identifying affected users in a security incident, and for monitoring or preventing: malicious network traffic, suspected access of illegal materials, alleged copyright infringement and/or violations of University or College IT or disciplinary regulations. Encrypted password data is held to enable login access. |
Login information and internet use logs are retained for 12 months. Password and access level information is retained for as long as you are entitled to use our systems (e.g. while a student or staff member). | Processing is necessary for legitimate interests, for compliance with a legal obligation, and (for staff/students) for performance of our contract with you. | The College has a legitimate interest in keeping records of system access, website activity and use to assist with IT security and disciplinary actions if appropriate. Monitoring and logging are also required to comply with the College’s accountability obligations under data protection law. | Processing is necessary for prevention or detection of an unlawful act and must be carried out without consent so as not to prejudice those purposes. |
| 3 | IT support logs and records consisting of user names/contact information, dates and times of requests or problems, details of requests and steps taken, and resolution details. | We generate this data about you. | In the normal course of operating and maintaining our systems. | IT support logs are retained for 7 years. | Processing is necessary for legitimate interests and for compliance with a legal obligation. | The College has a legitimate interest in keeping such records to help maintain the functioning and security of its systems. Keeping such records is also necessary to comply with its accountability obligations under data protection law. | |
| 4 | Records of telephone calls made and received (numbers called to/from, and call durations). | We obtain this data from you; data is also provided by telephone service providers (mobile and landline). | We use this data to ensure accurate billing by providers and to check that College telephones are used in accordance with policy. | Records are retained for 7 years. | Processing is necessary for legitimate interests, except where overridden by your data protection rights and freedoms. | The College has a legitimate interest in the proper and efficient administration of College telephones and ensuring correct use. | N/A |
Version control: v1.4 (Reviewed July 2023)